Aad Audit Event From First Party Apps
Query
// Get a list of first party apps from Entra ID Audit Log with summarized operations
_GetWatchlist('WorkloadIdentityInfo')
| where IsFirstPartyApp == "true"
| extend Identity = tostring(AppDisplayName)
| join kind=inner ( AuditLogs
| where TimeGenerated >ago(365d)
) on Identity
| summarize make_set( OperationName ) by AppDisplayName, ServicePrincipalObjectId, AppIdExplanation
This query is designed to extract and summarize information about first-party applications from the Entra ID Audit Log. Here's a simple breakdown of what it does:
-
Retrieve First-Party Apps: It starts by accessing a watchlist named 'WorkloadIdentityInfo' to get a list of applications, filtering to include only those marked as first-party apps (
IsFirstPartyApp == "true"). -
Extend Identity: It creates a new column called
Identitythat contains the display name of the application (AppDisplayName). -
Join with Audit Logs: It performs an inner join with the
AuditLogstable, which contains logs of various operations. The join is based on theIdentity(application display name) to match entries from both sources. -
Filter by Time: The query only considers audit log entries generated within the last 365 days (
TimeGenerated > ago(365d)). -
Summarize Operations: Finally, it summarizes the data by creating a set of unique operation names (
make_set(OperationName)) for each application. This summary is grouped by the application's display name (AppDisplayName), its service principal object ID (ServicePrincipalObjectId), and its application ID (AppId).
In essence, the query provides a list of first-party applications along with a summary of the operations they have performed over the past year, identified by their display names, service principal IDs, and application IDs.
Details

Thomas Naunheim
Released: March 5, 2024
Tables
Keywords
Operators